I know this has been asked a million times, so I'm sorry for bringing it up again, but I've tried everything I've read to get this to work. I've got a RHEL4 server set up as a domain controller (will post my smb.conf below). I can map a drive from XP and copy data to/from with no problems. When I try to add the domain, it prompts me for ID/PW (which tells me it's at least *seeing the domain*) but when I enter my Samba ID/PW, I get "Access is Denied".

# server string is the equivalent of the NT Description field
server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /home/netlogon
writable = no
public = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

I'm having the exact same problem, except on the latest stable Debian (Sarge). I have even gone into my WinXP machine and disabled "Use simple file sharing" because of another error I was getting. After I rebooted, I'm back to "Access Denied". When prompted for UID/PWD to join the domain, I am entering "domainname\username" for the user. Here is my smb.conf:

I tried disabling wins, still get 'access is denied'. And tried the host allow option... same error. :(

gv_rajasekhar

08-31-2006 12:41 PM

Along with the nmbd log file, check the system log file which you are checking. Make sure root has a samba password. I had a similar problem with that. I will try to post smb.conf file. Linux has the great advantage of log files. Use these things for any application.

blackraider

08-31-2006 01:43 PM

First off: Have you tried to add some users to Samba with smbpasswd?

Second: Have you opened Samba ports in your firewall/iptables (137-139 and 445)?

Third: Have you allowed the IPs of your network to connect in your firewall/iptables and configured NAT and masquerading (for extranet access)?

In my little experience the steps I'd follow to get a Samba domain up and running were:

* Install and configure Samba
* Add users to Samba with smbpasswd and machines and users with useradd
(users must exist in both Linux and Samba for it to run properly)
* Open Samba ports in my firewall
* Add IP's of my networked machines to my firewall
* Create user's home directories
* Create and config the shares

Well, that's all. I hope this helps.

linuxpng2

08-31-2006 04:51 PM

well, i turned off wins support and i'm now able to connect to the domain when logging in as root (again, this is after i've done the 'registry hack' that people have posted about). I've read on some sites that once you've logged in as root, it has 'authenticated' your machine and you should be able to log in with any other valid samba id.. first question, how do you 'log out' of root? i mean, i've already connected to the domain, rebooted, have the option of logging back into my machine using that domain.. does that mean i should be able to log into windows itself with any valid samba id? if so, i can log into windows with my personal samba id, but.. second question, now obviously my entire windows desktop is different (i assume, because it's like i'm logging in with a different id). is there something i can disable so it will still load my normal windows workspace? or, would this not happen if my windows id and my samba id were the same (because they are currently different).

thanks for all the help so far :)

New2Linux2

09-01-2006 06:46 PM

Quote:

Originally Posted by gv_rajasekhar

first try to locate the problem
check /etc/log/samba/nmbd.log file
this gives all the details

most frequent problem is with wins. you need to allow the host. "host allow=192.16.1."

if the problem persists try with the option wins support=no

I am still unable to join my domain. Sarge's nmbd.log (/var/log/samba/log.nmbd) has no errors in it. Nothing failed to load and it shows that the server is running as Master browser, Domain Master and WINS server without issue. Just to be on the safe side, I went ahead and disabled WINS, just to see. Unfortunately, that had no effect. Syslog (/var/log/syslog) also is devoid of errors/failures. The same goes for my smbd logfile (/var/log/samba/log.smbd).

When I tried the "host allow=..." option, and then ran testparm, I got "Unknown parameter encountered: 'host allow' Ignoring unknown parameter 'host allow'" so I have removed it. I have added a root password to samba with "smbpasswd -a root" along with several other usernames and machine accounts. All accounts were first created using useradd, and then added to Samba.

The server is inside our network and behind our firewall/router. I wouldn't think that I would need to open the Samba ports in my firewall simply because I do not want any samba traffic passing through the firewall. Am I mistaken in that?

All user's shares and home directories have been created with permissions assigned. Of course, I'm unable to test that fully because I'm unable to have a single system join the domain still. If it helps any, my smb.conf was created using the "How To" available on Samba.org's site (Chapter 3: Secure Office Networking). The initial smb.conf was renamed to smb.conf.master and all modifications that take place are made to that file. When I'm done, testparm tells me whether or not I misspelled anything. I then use "testparm /etc/samba/smb.conf.master > /etc/samba/smb.conf" to create the main config file. If I make any changes, I then follow up with "smbd restart" and "nmbd restart". What am I missing?

New2Linux2

09-01-2006 07:15 PM

Quote:

Originally Posted by linuxpng2

well, i turned off wins support and i'm now able to connect to the domain when logging in as root (again, this is after i've done the 'registry hack' that people have posted about).

Good for you. I hope to say the same soon.

Quote:

I've read on some sites that once you've logged in as root, it has 'authenticated' your machine and you should be able to log in with any other valid samba id..

This is technically inaccurate. You aren't really logging in as root. You are logged into your local machine as "localmachine\userA" when you ask to join the domain. Because the domain controller has a separate list of users (domainuser\userA is a different user than localmachine\userA) it needs to know whether or not your machine has permission to become part of its domain. That is why you "Authenticate" to it with the domain admin (or root) username and password. Once it verifies that info, your machine becomes part of the domain and is given access to a new list of users: Domain Users.

Quote:

first question, how do you 'log out' of root? i mean, i've already connected to the domain, rebooted, have the option of logging back into my machine using that domain.. does that mean i should be able to log into windows itself with any valid samba id?

Rebooting logs you out automatically. When it comes time to log in to windows again, you can now login with any valid samba id (Domain User).

Quote:

if so, i can log into windows with my personal samba id, but.. second question, now obviously my entire windows desktop is different (i assume, because it's like i'm logging in with a different id).

CORRECT!!! You are logging in with a different id, one that your local computer has no history of.

Quote:

is there something i can disable so it will still load my normal windows workspace? or, would this not happen if my windows id and my samba id were the same (because they are currently different).

thanks for all the help so far :)

No. Even if your old windows (aka: localmachine) id and your new samba id were the same username, they would still be different because of the reasons outlined above. One is a domain member and the other is not. If you now browse the hard drive of your Windows computer to the Documents and Settings folder, you will see a folder for your old localmachine account and a folder for your new samba domain user account. This is just another indication that Windows sees both users as separate entities. One thing you can do is export all of your old settings from your localmachine account to your new domain user account using the "Files and Settings Transfer Wizard" - <Start> -> All Programs -> Accessories -> System Tools -> Files and Settings Transfer Wizard. Let me know if you need help using that tool. It should be fairly self-explanatory.

Hopefully, one day I'll have some *nix answers too (other than RTFM). ;)

New2Linux2

09-06-2006 05:00 PM

Update: Still unable to join domain

I added the "hosts allow = 127.0.0.1 10.1.1.0/24" line to my smb.conf and got a different error: "parameter incorrect". I modified that line to be "hosts allow = 127.0.0.1 10.1.1" and got the same error. I rebooted the server and now am getting "The network path was not found."

I really am lost here, so any help at all would be much appreciated. My log.nmbd is still showing that the server is running as the domain master browser and the local master browser. :confused:

zhizaki

09-06-2006 08:51 PM

If I remember correctly, you are supposed to have the machine accounts added too. Like a machine account for each workstation connecting to the server.

fotoguy

09-06-2006 09:22 PM

Quote:

Originally Posted by zhizaki

If I remember correctly, you are supposed to have the machine accounts added too. Like a machine account for each workstation connecting to the server.

You can add these machine accounts on the fly in your smb.conf file. It has been over a year now since I had a domain controller up and running. Here is my old smb.conf so you can have a look at it.

Also make sure you don't have a firewall running at the time of testing your connection. Also check your /etc/hosts.deny file: if it has an entry of ALL:ALL then you will need to place an entry in your /etc/hosts.allow file to allow your network to connect.

I have those lines in my smb.conf (posted above) for creating machine accounts on the fly when the machine tries to join the domain. Just for GP's I went ahead and created an account in samba for a machine, but I'm still getting errors. In XP, when I try to join the domain, I get the pop up asking for credentials, then (about 30 seconds later) I get the error "The network path was not found" regardless of what I enter for credentials. This is even more confusing for me. If I try to join a non-existent domain (foobar.org) I don't even get the chance to authenticate. This tells me that XP is seeing the domain controller and is being asked to authenticate, indicating two-way communication between them. It's just not authenticating. What would cause this?

Once again, here is my info:

All user accounts have been created in Debian (one for each domain user)

Matching user accounts were then created in Samba (one for each domain user)

Domain groups were created and users sorted into their groups

Domain shares have been created with permissions assigned by group

User shares have been created with permissions assigned by user

Machine accounts are supposed to be created "on the fly" when the machine joins the domain

I have edited the registry and security settings in XP from suggestions in other posts here on LQ concerning this problem

FYI: I copied fotoguy's smb.conf into mine, changed the domain name and path information to match my setup and restarted samba. Same problems.
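Two configuration points come up repeatedly in this thread: the `host allow` line that testparm reported as an unknown parameter, and machine accounts created on the fly. An smb.conf can be checked for both before a join attempt; a misspelled access-control line matters because Samba ignores it, so the restriction it was meant to apply is not in effect. The following is an added example, not code from any poster or from the Samba project; `KNOWN` is a hand-picked subset of real smb.conf parameters, and the function names and the sample config are constructed for illustration.

```python
import difflib
# Subset of real smb.conf [global] parameters relevant to a Samba 3 NT4-style
# domain join; testparm remains the authority on the full parameter set.
KNOWN = ["hosts allow", "hosts deny", "domain logons", "domain master", "security",
         "encrypt passwords", "add machine script", "wins support", "workgroup"]

def norm(name):
    return "".join(name.lower().split())  # names ignore case and whitespace

def parse(text):
    """Return {section: {normalized name: (name as written, value)}}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[norm(name)] = (name.strip(), value.strip())
    return sections

def audit(text):
    """Return (code, message) findings for the join prerequisites."""
    conf = parse(text)
    glob, out = conf.get("global", {}), []
    known = {norm(k): k for k in KNOWN}
    for key, (raw, _) in glob.items():
        hit = difflib.get_close_matches(key, list(known), n=1, cutoff=0.85)
        if key not in known and hit:  # near-miss of a parameter we care about
            out.append(("typo", f"'{raw}' is ignored; did you mean '{known[hit[0]]}'?"))
    if "hostsallow" not in glob:
        out.append(("no-acl", "no 'hosts allow' restriction is in effect"))
    if glob.get("domainlogons", ("", "no"))[1].lower() not in ("yes", "true", "1"):
        out.append(("no-logons", "'domain logons = yes' is needed for domain joins"))
    if "addmachinescript" not in glob:
        out.append(("no-machine-script", "create each machine account (NAME$) by hand"))
    if "netlogon" not in conf:
        out.append(("no-netlogon", "the [netlogon] share is missing"))
    return out

# Constructed sample: a PDC config carrying the misspelling reported in the thread
SAMPLE = """[global]
workgroup = EXAMPLEDOM
domain logons = yes
; hosts allow = 192.168.1. 127.
host allow = 10.1.1.
[netlogon]
"""
```

On the sample, `audit(SAMPLE)` reports the misspelled parameter, the resulting absence of any `hosts allow` restriction, and the missing `add machine script`.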

fotoguy

09-12-2006 06:43 PM

Quote:

Originally Posted by New2Linux2

"The network path was not found"

OK, I think I remember getting the same or similar error once before when I was trying to get an XP machine to join samba. If I remember correctly, on the XP machine try changing the dns settings: set dns1 to the address of the samba server before trying to add it to the samba domain controller. I think you may need to restart the XP machine first before trying to add it.

New2Linux2

09-12-2006 08:02 PM

Quote:

Originally Posted by fotoguy

If I remember correctly on the XP machine try changing the dns settings, set dns1 to the address of the samba server before trying to add it to the samba domain controller, I think you may need to restart the XP machine first before trying to add it.

That makes sense. Unfortunately, no effect. I rebooted XP, changed dns1 to my DC's IP (running bind9 for DNS), rebooted again and still got the "network path not found" error.